wine users - Mar 2008 - Alexandre says "let the newbies run as root"

I don't agree with him, but there you have it.


---------- Forwarded message ----------
From: Alexandre Julliard <julliard at winehq.org>
Date: Fri, Mar 21, 2008 at 1:32 AM
Subject: Re: loader: more stringent sanity check
To: Dan Kegel <dank at kegel.com>
Cc: wine-devel at winehq.org


"Dan Kegel" <dank at kegel.com> writes:

> Many, many newbies are running wine as root without
 > really needing to.  They are much more likely to screw
 > up their systems this way.  Are you saying we should stop
 > advising against this?

 I have seen very little evidence that anybody screwed up their system by
 running Wine as root, I think that's just paranoia. Of course it's
 possible in theory, but you can screw up your system by running 'cat'
as
 root too, that doesn't mean it needs a warning.

 Pretty much the only case I'm aware of is someone's system rebooting
 because an app was searching through /proc and triggered the watchdog.
 That shouldn't be hard to avoid, and it's really minor compared to the
 thousands of people who reboot their box as normal users just by
 starting OpenGL.

 So yes, I'd say stop the "don't run as root" crusade, and fix
the actual
 problems that running as root causes, if there are any.

 --


Alexandre Julliard
 julliard at winehq.org

I think it's a bad idea.
There is not much harm until you see what the .NET is doing once installed.

The .NET is poking it's nose in pretty much the whole Linux file system and
it would not be to hard to make a .NET virus searching for Linux data files
changing them as it wants.

On the other side, I am against every restriction which you can't turn off
(like in Winecfg) if you wish it to, I am already suffering too much under them.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 21 March 2008 07:52:27 am Dan Kegel wrote:
> I don't agree with him, but there you have it.
>
>
> ---------- Forwarded message ----------
> From: Alexandre Julliard <julliard at winehq.org>
> Date: Fri, Mar 21, 2008 at 1:32 AM
> Subject: Re: loader: more stringent sanity check
> To: Dan Kegel <dank at kegel.com>
> Cc: wine-devel at winehq.org
>
> "Dan Kegel" <dank at kegel.com> writes:
> > Many, many newbies are running wine as root without
> >
>  > really needing to.  They are much more likely to screw
>  > up their systems this way.  Are you saying we should stop
>  > advising against this?
>
>  I have seen very little evidence that anybody screwed up their system by
>  running Wine as root, I think that's just paranoia. Of course it's
>  possible in theory, but you can screw up your system by running
'cat' as
>  root too, that doesn't mean it needs a warning.
I would still recommend at least a warning, if not absolutley refusing to run 
as root, if only to enforce best practices.  Wine is apparently newbie fodder 
these days:  They probably don't know better regarding root permissions in 
general.  Remember, ubiquitous root-equivalent privleges by default is one of 
the the things that has helped fuel the security cesspool in the Windows 
world; this security model is probably one wine should be deliberately 
incompatable with outside it's own emulated environment.
>  So yes, I'd say stop the "don't run as root" crusade,
and fix the actual
>  problems that running as root causes, if there are any.
What's wrong with enforcing common sense and using the OS's security
model,
exactly?

- -- 
Paul Johnson
baloo at ursine.ca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH5BsrUCxPKZafKh0RAmM/AJ9KNftSKd2esVn653cQrG6tYq8LmwCgp5wy
UqsgbVyZaupdXMjAWH7jfNU=L/mG
-----END PGP SIGNATURE-----

One example:

"this directory is not owned by you" affecting users in 2 ways:

1. Users of distributions which file system is 90% owned by root, thus forcing
them to use root if they legitimately want to use a software installing things
in the tmp directory (in some distributions owned by roots).

2. Some people on dual system placing their documents on a Windows partition on
FAT system.
Please don't tell me that FAT is more than old - it is.
However as long as I am not 100% free of dual booting on Windows, I have to save
my documents somewhere that they can be saved and reached on on both sides. ntfs
is not possible at the moment and Linux partition is not seen on Windows.

When I am using Trados, I am not duplicating the translation memory. It is saved
on a fat partition and I can at any time reuse it from the Trados installed on
Windows. Using Wine as it is would have not let me using the same file for both
instances and duplicating the memory goes against the purpose of the software
(always finding old translated units).

If I would have not found the way to remove this limit, this would have let me
to either forget about using Wine or using it as root because otherwise I would
only access what is on /home/username.

For this reason, If I had a button in Winecfg for "permit the root
ownership for z:/tmp or z/windows/", this would help people using java or a
windows partition not having to use root.

Using root is also a misconception that a software HAS to run as root to
function. Trados under Windows known to have to be installed/used as admin or it
doesn't work properly. It is not that the newbee is meaning it badly - he is
just making what he does under Windows.

Timeout message was not here where I posted.

Sorry to say Timeout uses a completely invalid method to get access to the
windows partition.  Cause lack of Linux/Unix skill the one of the very reasons
why I want root usage forbin out right forcing users to find the correct
solution.

Vfat mount options
> uid=value and gid=value
>     Set the owner and group of all files. (Default: the uid and gid of the
current process.)
> 
Notice something edit fstab put your uid there on the fat drive and you can
write to it freely.  No reason to be in root at all.  So thank you for putting
you complete system at risk for no good reason Timeout.  Now if you had been
locked out from doing it you might have found the correct solution.

Gets even more powerful you can even override default assigned permissiins
> umask=value
>     Set the umask (the bitmask of the permissions that are not present).
The default is the umask of the current process. The value is given in octal.
> dmask=value
>     Set the umask applied to directories only. The default is the umask of
the current process. The value is given in octal.
> fmask=value
>     Set the umask applied to regular files only. The default is the umask
of the current process. The value is given in octal.

Now using the masks you could even give a group full read write to the drive and
give a set of users full read write access to it.

Now were was this gold mine of information "man mount"

http://en.wikipedia.org/wiki/Fstab  << little guide to Fstab.   Note
umask=000 means all users on the system have free rain to write to the file
system.

Now please find something that truly needs root.  Not something that is just
lack of skill.  There is basically no good reason I know of to be running wine
as root.   Network access features it needs under linux can be enabled 1 bit at
a time.   All filesystem accesses can be corrected threw valid means.  Maybe
there is a need on NON Linux platforms.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please use the mailing list, not the forum, as the forum is breaking threads 
and not setting up quotes correctly, making forum posts nearly unreadable.

On Friday 21 March 2008 11:15:45 pm Timeout wrote:
> One example:
>
> "this directory is not owned by you" affecting users in 2 ways:
>
> 1. Users of distributions which file system is 90% owned by root, thus
> forcing them to use root if they legitimately want to use a software
> installing things in the tmp directory (in some distributions owned by
> roots).
/tmp should be owned by nobody:nogroup with a mode of 777.  Otherwise, 
everything else you said applies to most (all?) distros out there.  This is 
NOT a legitimate reason to run wine as root.

- -- 
Paul Johnson
baloo at ursine.ca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH5X3mUCxPKZafKh0RAqbrAKCLpvbaq0kLFwrPqyLTDhdb4xR1DACgk6cw
tKZkcVd+PPJgz94nylA5Qe4=muML
-----END PGP SIGNATURE-----

Paul Johnson what I said about Windows Administator is true.

The user that matches Root on Windows is System.   A user that without hacking
cannot be logged in on.

As system you can delete files in USE.   As Administrator you cannot.

As system you have resource access Dominance.   As Administrator you will yield
to system processes and services.  Of course Administrator has more dominances
than limited users.

Basically using root you can stuff up databases and other things if you tie up a
device.  Yes the hidden account that matches up to root on windows.

To make Linux have a user like Windows Admin.
1. selinux or equal to assign extra privileges to a non 0 user or remove device
dominance privilege from root.   Removing the delete files in use is a little
hard.
2. Have some form of containers to control root user from taking dominance.

All distributions out there I know don't do either yet. 

Scale of damage a run away process as root is many times worse than a run away
process as Windows Administrator.

Ok So we have a forum bug.  Sorry not on mailing list.   Got too many lists all
ready on my email account.  Thinking the forum is here to stay the bug has to be
fixed.

Yes I do know how to quote just I was lazy because the message was targeted at
one person and I include the source to find it in the instructions "man
mount".

PS Paul Johnson never under estimate my means to abuse the English Language.
"Root permissions are past anything windows users are use to."  Yes I
was being evil using implied verb(dropping the are) to give force to statement. 
Also saying a sentence with double are in it suxs.  It is a technically valid
sentence even that no grammar checkers out there would pass it.

Maybe

But I feel like somebody cutting my hand because thieves are using hands.
Like you said, users are using root for some reason and one has to understand
*why* they are doing it.

For my purpose I removed the check and I am using the software as usual as user,
but telling people having a problem with Java just to go back to 0.9.49 is not a
solution either.

I remain to the fact that if no .wine directory were created as root then .wine
would not have root's right from the first place because it would be
installed as user. Other checks should be made non compulsory.

Thoose books are designed to be done a little in order.

http://tldp.org/LDP/sag/html/filesystems.html  Yes the system administrators
guide covers fstab.

Linux does have really clearly define roles.  Users need to know nothing about
the system.   Person setting the system up to work right is a Administrator.  
All the guides on the tldp are written in the simplest English able some are
even translated to other languages.

Linux admin first concern is normally not viruses.  But things running at wrong
security levels creating risks.    Run all stuff were able unable to break
machine and the worse you risk is losing a user and what they can write to.  If
you have backup of that area fixing is simple.  Restore backup.  Note no need to
have a backup if the data is not important either as long as the rest of the
system was not affected recovery is simple.

Second is a operation Host Intrusion detection system  ie HIDS.   HIDS don't
need updated signatures to find viruses.  It working the other way.  These files
are known good is there anything here I don't know method.
  Far more effective than any Anti-Virus could be.  All unknowns are detectable.
This is also backed up with a rootkit hunter of some form like
http://rkhunter.sourceforge.net/ to make sure the HIDS is not being fooled into
thinking stuff is not altered when it has been.

Third Backup system.

Forth applications users are running and there risks.   This includes wine
contained to a single user.  clamav with real-time scanning addon can come into
play.  Or a user that if you lose you don't care since it has no important
access.

Linux Admin concern list is different.   If you do the first two takes out a lot
of problems.   True Linux viruses are very rare.  More likely to get rootkited
by a Linux rootkit and used in a bot net than a Linux virus.
  
It is nothing special for a Linux system to upgraded and upgraded and never
reinstalled for the complete hardware life of the machine.  Something windows
users normally never see.   Most common reason to reinstall is trying other
distros.  Next rootkit infection/Security breach.   Then bad distro upgrade. 
Finally Administrator error.

Please note wine is quality status Beta so you don't call that  beginner
software either.  So some more administrative skills are required to use it
right.  On top of that.  Installation of software and setting of global 
permissions is normally the sole domain of root/Administrator on Linux.  So
using wine to its full does require some administrative skill to alter
permissions to allow exactly what you want.   If you were happy using external
media or stuff like that for the transfer you would not need to know how to
alter a fat partition in fstab to make it mount read write to users you want to
access it.  Pushing envelope is forcing you to need more skills sooner Timeout.

Ask in a suse channels(forum/irc locations) if yast has a graphical fstab
editor.   Most distros have there own custom forms of it.  The /etc/fstab file
is the same on all distros so long term people like me just learn to edit that.

Please get you order of worries around the correct way Timeout.  Windows order
of worry is just wrong for Linux Unix Mac... Basically everything bar Windows.

There is a setup error introduced by a change in 0.9.49.
I made a regression test and I noticed that the difference between the setup
error and the installation continuing (with patch reverted) was java classes
installed in z:/tmp.

On Sun, Mar 23, 2008 at 4:28 AM, Timeout <wineforum-user at winehq.org>
wrote:
> There is a setup error introduced by a change in 0.9.49.
>  I made a regression test and I noticed that the difference between the
setup error and the installation continuing (with patch reverted) was java
classes installed in z:/tmp.
Which patch introduced the problem?

Is there a bug filed for this yet?

Dear Dan,

I removed the bug for it. It was 10584 but in the description of the bug it was
not clear to me at the beginning what caused it. Afterwards, I started to remove
the last lines of the patch on my own GIT and went on with the next setup
problem.

Timeout wrote:
> Dear Dan,
>
> I removed the bug for it. It was 10584 but in the description of the bug it
was not clear to me at the beginning what caused it. Afterwards, I started to
remove the last lines of the patch on my own GIT and went on with the next setup
problem.
>
>
>
>   
Timeout:

Please, please, please file a bug for this.  If you know the code that 
caused the error, please put it in an attachment to the issue.

Thank you.

James McKenzie
>
>

It's not about the installation of Java. It's about the installation of
Software USING Java.
For my part, the java installation hanging is not affecting Java's running.
It's a cosmetic error because when running the installation for the second
time, it does go through. Last tested on 0.9.56, Java was still running.

Affected string that I remove:
config.c

if (st.st_uid != getuid()) fatal_error( "%s is not owned by you\n",
config_dir );

> 
> 
> I'd look at finding alternatives to the software you use in Windows and
use
> wine as a last resort; you'll find native versions to be less
problematic
> than emulating a legacy environment like Windows. 
> 
> 

Open Source? Please! Tell graphic people to use Gimp instead of Photoshop.
What I am trying to run is the widest used tool of my market, developed over
more than 25 years, partially owned by Microsoft and offering the best tools for
converting the widest range of files format.

Because clients don't want to send their text as txt. They want to send it
in the format they had been created and get it back in this format. This tools
saves us for having to bother having to buy QuarkXpress, Indesign, Framemaker or
bothering with the tags of html or scripts because it does not come to the mind
of clients wanting to reformat the files they get. Open source is best for
translators but not for agencies last responsible for checking the text or
reformatting the mess that translators made.
 

> 
> I'd look at gaining actual experience instead of wasting time
needlessly
> reinstalling when you have a working system.
> 
This has nothing to do with experience. That's a problem of graphic card not
properly recognized and things turning bad when there is an update of the driver
kernel/problems with drivers. And I am still updating my drivers because they
have still issues.

I personally don't care about what you are thinking of me. I am getting my
software to work apart from some menu problems, macro loading problem within 
Word, licensing or cursor issue.
To that point it's pretty much irrelevant what Wine is doing.
And as I got this error, I was not running as root, I was using it user, using a
packaged Wine that I installed using Yast as User.
Furthermore, I didn't change the title which broke the thread.

Now go on your own as your wish. I will continue to adapt Wine to my software in
my back garden.

> 
> Never mind that even the latest MS office versions support Open Document 
> Format since it became the ISO standard for office documents, and ODF is 
> already well supported by office software.  Your "nobody wants to
exchange
> txt" is a strawman.
> 
> If you hate open source so much, why use Linux or Wine in the first place? 
Or
> is this a case of misguided anger generated by ignorance?
> 

I am not hating open source, I find it great and I love my linux box.

Fact is, that since I set up my company, I have seen many kind of documents,
even under PowerPoint for Office 95. I have yet to see the first ODF document.
Trados is supporting ODF but what's the point, I have never received one and
we are not the one to decide in which format the texts are coming.

Please ask around any translators if they see many ODF. That will be the first
indicator of it being used by business and not what governments are saying.


> 
> You still don't need to reinstall just because your drivers go
south...boot
> from a rescue CD and fix from there.  About the only time you really need
to
> reinstall is if your system gets compromised...
> 
I need to reformat the home partition because otherwise I have a ghost
partition. Telling me I have  2 GB used and 5 GB free out of a 86 GB home
partition. For my purpose it's to small.

Timeout wrote:
> It's not about the installation of Java. It's about the
installation of Software USING Java.
> For my part, the java installation hanging is not affecting Java's
running. It's a cosmetic error because when running the installation for the
second time, it does go through. Last tested on 0.9.56, Java was still running.
> 
> Affected string that I remove:
> config.c
> 
> if (st.st_uid != getuid()) fatal_error( "%s is not owned by
you\n", config_dir );

Timeout this is not a bug. It's because you have run wine in the past as
root. This causes some of your wine configuration files to owned by root instead
of the normal user. You can fix this by changing the permissions of the .wine
directory and its contents. Run the following command and replace username with
your user name:

$ sudo chown -R username:username /home/username/.wine

Hope it helps.

Now you are telling me instead of using the standard setting of my distribution
I will have to change the whole setting of my distribution to please one
software. I will keep on changing that one software to match my hardware. After
all, I am grown-up and I don't have to be protected against myself. If I
want this attitude, I can remain by Windows and save me the hassle.

I am not going to do that. Are you going to tell all users with the same
settings to make sudo?

Maybe my incompetence is reaching the water of the arrogance. And about the
discussion about incompetence and ODF that's pretty much out of topic. And
forcing one's liking to the client's need is the best way to close the
business. I know somebody who probably lost her clients because she was sending
docx documents and the client was not ready for them (using officeXP).

I think this thread has wandered way off topic...

Paul Johnson ?rta:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sunday 23 March 2008 12:19:00 pm Zoltan Boszormenyi wrote:
>
>   
>> Sorry, are synaptic and aptitude "single comprehensive interface
to
>> DPKG"? Come on! :-)
>>     
>
> synaptic and aptitude both use the apt framework; the differences between
them
> are minor at worst.
>   
So as pup/pirut/yumex use the yum framework, minor differences in the GUI...

Best regards,
Zolt?n B?sz?rm?nyi

Now next question about Viruses:

You are starting from the point that I will get viruses.
Just by using Trados, an off line tool which is at the most checking another
instance of a network because of licensing.

How are you assuming that I could get that virus. You can stop altogether
working on the BITS or on auto-updates on software.

Can't you simply start by not allowing uncontrolled connexions to the
Internet (like adding an offline-modus in winecfg instead on blocking the root)?
The virus I got on Windows was per auto-upload, even with 2 firewalls, a router
and an antivirus.
The concerned software was refusing to open without being able to check the
license online, thus one had to allow it. Someday it autoupdated with a virus.

Don't you think the first concern would be no automatic download of
executables? I don't think getting an answer about a license is an
executable.

If you don't have yet understood what I had been saying for two days, forget
it, you won't.

Now the bank holiday is over, tomorrow I will have too much work to bother about
it.

I am removing this string to be able to run it as user.
Someday I will reinstall it but what I am doing is solely my problem. Instead of
blocking things you should take care of no auto updates or faking an offline
mode if required. This will be more of effect than blocking everything as a
protection against viruses.
The .NET is switching permissions as it needs anyway.

On 24/03/2008, Mark Knecht <markknecht at gmail.com> wrote:
 > On Mon, Mar 24, 2008 at 9:50 AM, Paul Johnson <baloo at ursine.ca>
wrote:

>  >  What reason would one EVER need to run end-user software as root in
the first
 >  >  place?  Wine or not, that's just terrible practice.

 > In Linux I agree. In Windows there is lots of software that requires
 >  folks to install and/or run as administrator. I sometimes suspect that
 >  some Wine users, nebies mostly, get confused about the difference
 >  between the two.



Yes. This will remain an eternal source of confusion.



 >  As much as I like Wine I am even concerned about running it in my
 >  regular user account as it seems to me someone could write a Windows
 >  program that then erases all my Linux user files, etc.



Hmm ... how usable do you find this in practice? What safety do you
 get from running it as a different Unix user that you wouldn't get
 from just disconnecting Wine's "home" drive and Z: drive (the
whole
 file tree)?



 - d.

James Hawkins  	PostPosted: Mon Mar 24, 2008 11:33 am 
> There's nothing special about Wine. Someone can also write a Linux
> program that erases all your user files.
> 
> James Hawkins
Yes I can write a program to nuke a Linux system.    There is some things
special about wine.

It allows operation of applications from the Most virus plagued OS on earth. 
And by its own operation does not have any built in defenses.

New users from windows think everything needs Administrator to work. So abuse
wine.  This is a key factor.  Abuse wine.  Using it when it should have never
been used that way.

Finally running as root needs care.   Like I have screwed up a database in the
past by coping large section of data and blocking the database from writing to
disk.  Wine does cause High CPU load and Resource usage at times.  Reason why
comparing to cat or something else kinda does not cut it.  Most applications
that operate as root by normal use create those effects.  Normally applications
that have the risk of this at least change to a different user to reduce system
wide risks.

Now that should at least show a little care.   Running as root would not be as
large of issue if wine did not have these problems with users and operation.

By the way not one person has come up with 1 valid reason to run as root.

Only reasons have been incompetence.  Sorry to say I don't take that
lightly.  Same as another section from what I see we need to lock root of and
give the uses links to documentation to do it right cure the incompetence.   We
have to take responsibility for the program that is being created.

That maybe on bsd or something L.Rahyen.

Austin English wrote:
> Some wine functions require root access, ICMP ping for instance. 

http://www.ibm.com/developerworks/library/l-posixcap.html?ca=dgr-lnxw01POSIX-capabilities

Ping does not require root on 2.6.24+ Linux kernel or any older Linux kernel
with selinux or smack LSM's.

On Linux platforms the time of wine requiring root is past.  With upto date
Kernels you would set capabilities instead.   This does not allow system wide
damage.  Since only the segments need to be given to wine.  All the ones I have
seen are network related.

Older kernels you create profiles.

Missed the best bit.  Using a loader program running as root under older Linux
kernels it could assign the capabilities and still run wine as a normal user
with the network access it needs.

All that is really in 2.6.24 kernel is a simple way to avoid having to run
security raising  program to get there or use a LSM.

So the need to have wine itself running as root is well and truly passed on
linux.

> Missed the best bit.  Using a loader program running as root under older
> Linux kernels it could assign the capabilities and still run wine as a
> normal user with the network access it needs.
>
> All that is really in 2.6.24 kernel is a simple way to avoid having to run
> security raising  program to get there or use a LSM.
>
> So the need to have wine itself running as root is well and truly passed
> on linux.
>
Not everyone that runs Wine does so on Linux though.  I personally run it
on OS X - as do many others.  I dont doubt there's people running Wine on
other *nix variations as well.  Solaris, FreeBSD and OS X are mentioned on
the front page of wineqh.org as working with Wine, not to mention there
are binary downloads for Solaris, FreeBSD, PC-BSD and Windows linked to
from the download page. And instructions for building Darwine on OS X are
available from Wine's wiki as well.

Just because it works in Linux doesn't mean its perfect.  OS X for example
cant create a socket of type SOCK_RAW without root.

Windows one on the download page should be deleted.  Reason its out of date. and
its only a dll testing system not a full version of wine.  Gives me too many bad
questions in winehq on freenode.  It gives too many people the wrong end of
stick.

Solaris I can talk on it has another way
http://blogs.sun.com/casper/entry/solaris_privileges No root required there. 
What is needed for wine can be give threw the default security system even
better on a per process base.  Root user there has been past for many years.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-tuning.html
Freebsd found 1 really two this covers PC-BSD as well.  But pure default root is
not where wine should be running instead in a Freebsd jail preventing system
wide harm.

Note Since OS X is freebsd related it might be the same.  Still no reason to be
running as pure uncontrolled root if it has the FreeBSD system.  Some one with
OS X skill need to research this.

Problem still is that users are going to use it wrong.    Not read the Security
of the OS and put the complete OS at risk.

So Linux and Solaris builds root should be just baned out right.   Systems have
a correct way around it.

Note trustedBSD has close to the same as Linux posix capabilities main freeBSD
Line decided not to merge that at this stage but keep the jail system.

Most new FreeBSD would lack the skill to create a jail correctly to reduce wine
to the same as a Linux capability boost.

Some how a generic security raising setup is needed.

Solarias, trustedBSD and Linux due to there permission system could be dynamic
on a application by application base without major complexity. wine like sudo
interface could even be used allowing admin to limit what users can even use the
enhanced features.  Since the user will be returned to there normal user with
normal user filesystem access just with more network access.

Freebsd with jails will be messy.

Now if OS X only has old chroots we have a problem.   If that is the case OS X
users should be yelling a apple to lift there game one way or another.

Really we should not be light about this.  Would have though in this day in age
on a BSD Linux *nix OS these kind of limitations would be standard.

Ok as it turns out FreeBSD and Linux have gone two different ways to get there. 
There is still no valid reason to leave most of the install base using the wrong
thing for there system.

I was hoping that people would at least have responsibility to research the
other systems.  Not just try to create a vague list of reasons.  Linux is my
most common system.   There might even be a better way on freebsd.